Virus Database

Prowler.1543

Description Prowler.1543

These are relatively harmless, memory resident encrypted multipartite viruses. They infect the MBR of the hard drive and write themselves to the end of COM (except COMMAND.COM) and EXE files that are executed, and the viruses hook INT 21h to do that. The MBR is infected when an infected file is executed. To install the TSR copy while loading from an infected MBR, the viruses also temporarily hook INT 1Ch (timer).
Upon loading from infected MBR on 13th of any month, the viruses manifest themselves as a sound and video effect and display the following message:
I am +he Midnigh+ Pr0wler, s0n 0f +he m00n
And I am the child 0f +he ?? genera+i0nall.

where ?? is virus generation.

Check other viruses! Be aware! Use Antiviral Software

Backdoor.Agobot.a

Description Backdoor.Agobot.a

Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/ user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionalities:
will not work with a debugger running or under Vmware
it can run both as a standard application and as a service (when running under Windows NT/2000/XP)
when copying itself to the Windows system folder (on first being launched) it attmepts to encode the copy and write the decoder to the body of the copy (polymorphic code)
adds to the HOSTS file the IP address 127.0.0.1 for the sites of some antivirus companies (to hinder the updating of antivirus databases)
monitors the network and copies all interesting packets (e.g. packets containing passwords for FTP servers, e-payment systems such as PayPal etc.)
scans other computers for the presence of common vulnerabilities such as DCOM RPC, UpnP, WebDAV and others, and then installs itself on the vulnerable machine
searches the victim machine for AOL logs, passwords for certain computer games, and email addresses, and sends all this information to its author/ user
conducts DoS attacks (SYN-flood, Targa and others)
launches proxy servers on the victim machine (HTTP, HTTPS, SOCKS, BNC and others)
expedites the uploading of additional modules (plug-ins)

Backdoor.Agobot.gen

Description Backdoor.Agobot.gen
This is a classical backdoor and allows a 'master' to control the victim machine remotely by sending commands via IRC channels.
Installation
Agobot copies itself into the Windows directory under random names and then registers itself in the system registry auto-run keys:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
Manifestations
Agobot connects to various IRC servers opening channels identified in the body of the worm. It is then ready to receive commands from the 'master', who can now download and launch files on the victim machine, scan other computers for vulnerabilities and install itself on these vulnerable machines.

Home